Bug 2203359

Summary: SELinux AVC from rhsm-service
Product: Red Hat Enterprise Linux 9
Reporter: Marko Myllynen <myllynen>
Component: selinux-policy
Assignee: Nobody <nobody>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: unspecified
Priority: unspecified
Version: 9.2
CC: lvrabec, mmalik, ptoscano, zpytela
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Hardware: Unspecified
OS: Linux
Fixed In Version: selinux-policy-38.1.13-1.el9
Doc Type: No Doc Update
Story Points: ---
Last Closed: 2023-11-07 08:52:24 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Deadline: 2023-05-16

Description Marko Myllynen 2023-05-12 07:09:22 UTC
Description of problem:
After booting up a RHEL 9.2 system the following SELinux AVC appears:

type=AVC msg=audit(1683874450.081:120): avc:  denied  { module_request } for  pid=2803 comm="rhsm-service" kmod="tcp-ulp-tls" scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=1

The module seems to have been loaded at some point:

# modinfo tcp-ulp-tls
filename:       /lib/modules/5.14.0-284.11.1.el9_2.x86_64/kernel/net/tls/tls.ko.xz
alias:          tcp-ulp-tls
alias:          tls
...
# lsmod | grep tls
tls                   131072  0

Version-Release number of selected component (if applicable):
selinux-policy-targeted-38.1.11-2.el9_2.2.noarch
subscription-manager-1.29.33.1-1.el9_2.x86_64
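To triage records like the one above on other hosts, the following added example (not part of the bug report or of selinux-policy) parses raw audit AVC lines and keeps only denied module_request events, reporting the requesting domain, the process name and the kernel module alias that triggered the autoload. The sample lines are constructed from the report plus one unrelated denial to show the filter working.

```python
import re
import shlex

# Constructed sample input: the AVC from the report above and one unrelated
# file-read denial that the filter must ignore.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1683874450.081:120): avc:  denied  { module_request } for  '
    'pid=2803 comm="rhsm-service" kmod="tcp-ulp-tls" '
    'scontext=system_u:system_r:rhsmcertd_t:s0 '
    'tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=1',
    'type=AVC msg=audit(1683874460.000:121): avc:  denied  { read } for  '
    'pid=2810 comm="example" name="file" '
    'scontext=system_u:system_r:example_t:s0 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0',
]

# Matches the fixed prefix of an AVC record; the trailing key=value fields
# vary per object class and are split separately.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<decision>denied|granted)\s+\{ (?P<perms>[^}]*) \} for\s+(?P<fields>.*)$'
)


def parse_avc(line):
    """Return a dict of the AVC record's fields, or None if the line is not an AVC."""
    m = AVC_RE.match(line)
    if not m:
        return None
    rec = {"timestamp": float(m.group("ts")), "serial": int(m.group("serial")),
           "decision": m.group("decision"), "perms": m.group("perms").split()}
    # shlex strips the double quotes around comm="..." and kmod="..." values.
    for token in shlex.split(m.group("fields")):
        key, _, value = token.partition("=")
        rec[key] = value
    return rec


def selinux_type(context):
    # user:role:type:level -> type (e.g. rhsmcertd_t)
    return context.split(":")[2]


def find_module_requests(lines):
    """Keep denied module_request events on the system class, one summary per hit."""
    hits = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        if "module_request" not in rec["perms"] or rec.get("tclass") != "system":
            continue
        hits.append({"source_type": selinux_type(rec["scontext"]),
                     "comm": rec.get("comm"), "kmod": rec.get("kmod"),
                     # permissive=1 means the request was logged but not blocked
                     "enforced": rec.get("permissive") == "0"})
    return hits
```

A hit whose source domain is not expected to request modules is the one to compare against the currently installed selinux-policy version before deciding between an update and a local policy module.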

Comment 1 Pino Toscano 2023-05-15 08:52:19 UTC
Hm I guess the new kTLS module gets loaded automatically... and now every application that does TLS connections via lower-level libraries (CPython) needs their own SELinux rules? A bit of sigh...

(Side note: in case it applies, please fix this for Fedora as well, thanks!)

Comment 2 Nikola Knazekova 2023-05-16 09:51:05 UTC
PR: https://github.com/fedora-selinux/selinux-policy/pull/1689

Comment 4 Zdenek Pytela 2023-05-18 09:51:44 UTC
(In reply to Pino Toscano from comment #1)
> Hm I guess the new kTLS module gets loaded automatically... and now every
> application that does TLS connections via lower-level libraries (CPython)
> needs their own SELinux rules? A bit of sigh...
I see it as a kind of contest over who is the first one; maybe that's why the service does not fail eventually.

> 
> (Side note: in case it applies, please fix this for Fedora as well, thanks!)
We almost always make changes in Fedora first.

Comment 12 errata-xmlrpc 2023-11-07 08:52:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6617